Ransomware Attack Reported by American Baptist Homes of the Midwest

American Baptist Homes of the Midwest (ABHM), a provider of assisted living and assisted care facilities throughout the U.S Midwest, has reported a security breach involving the use of ransomware on its network.

The attack commenced on or around March 10, 2019. The attack was detected promptly, but only after the encryption routine had commenced. The attack was stopped and affected accounts were secured, but not in time to prevent widespread file encryption. The files encrypted by the ransomware contained the records of many ABHM clients.

ABHM’s clinical and billing systems were not affected, only general file systems and email accounts. The attack is believed to have been conducted with the sole purpose of extorting money from ABHM, although due to the nature of access gained to install the ransomware, unauthorized accessing of protected health information could not be ruled. No evidence of data theft or misuse of PHI has been found to date.

The types of information stored on the compromised servers and systems included individuals’ names and addresses in combination with the following data elements: Social Security numbers, financial information, diagnoses, lab test results, medications and some other medical information.

Assisted by a third-party data forensics company, ABHM was able to successfully remove the ransomware from its systems and restore encrypted data from backups.

To improve security and prevent further cyberattacks, ABHM engaged the services of a cybersecurity expert who conducted an in-depth risk assessment to identify potential risks and vulnerabilities.

Technical security measures have now been implemented to enhance security. Those measures include the strengthening of password requirements, the use of rate limiting to prevent brute force attacks on its systems, and a 24/7 security monitoring system to safeguard all ABHM data.

All affected individuals have now been notified by mail and the incident has been reported to law enforcement and the HHS’ Office for Civil Rights (OCR). The OCR breach portal indicates 10,993 individuals were affected by the attack.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.